Excellent, thanks Mike for such a detailed explanation. I am definitely going for mod_jk now and will keep you posted.

Thanks a ton everybody :)

Cheers,
Mandeep

On Wed, May 30, 2012 at 9:02 PM, Mike <[email protected]> wrote:

> Mandeep. Nice looking site.
>
> Regarding your issue, you REALLY want to use apache using mod_jk in front
> of ofbiz. Here is why:
>
> 1) You can offload the processing of images to apache (less load on ofbiz)
> 2) You can easily set cache timeouts for images, css, and other static
>    content.
> 3) You can easily add normal static HTML pages (/static/*.html) w/o using
>    ofbiz
> 4) It is easier to offload SSL certificate management to apache
> 5) You can set up gzip compression (DEFLATE)
> 6) You can load balance to multiple instances of ofbiz via apache mod-jk.
> 7) Apache runs as the user 'nobody' (not root). Ofbiz can do the same.
> 8) Most Important: You can add security to your site by locking out admin
>    links.
>
> Regarding #8. If you are running an ecommerce site, you DON'T want people
> from the internet to even attempt to gain access (i.e. login as 'admin' to
> 'catalog'). Do you think amazon.com allows 'admin' login to the backend
> from their main site? Absurd to even ask. This is basic internet
> security.
>
> Instead, have front-end machines that serve ecommerce, and have back-end
> machines that allow access to /catalog, etc. via a VPN, or a local subnet.
>
> I have found that this setup runs faster, and you have more flexibility.
>
> Here is a sample apache (port 80) configuration file:
> --------------------------------------------------------------------------
> Alias /images/ /opt/ofbiz/framework/images/webapp/images/
> DocumentRoot /var/www/
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
> </Directory>
> <Directory /var/www/>
>     Options FollowSymLinks MultiViews
>     AllowOverride None
>     Order allow,deny
>     allow from all
> </Directory>
>
> ExpiresActive On
> #ExpiresByType text/html "access plus 1 day"
> ExpiresByType text/css "access plus 1 day"
> ExpiresByType text/javascript "access plus 1 day"
> ExpiresByType image/gif "access plus 1 week"
> ExpiresByType image/jpeg "access plus 1 week"
> ExpiresByType image/png "access plus 1 week"
> ExpiresByType image/bmp "access plus 1 week"
> ExpiresByType application/x-javascript "access plus 1 day"
> ExpiresByType application/x-shockwave-flash "access plus 1 day"
>
> ProxyRequests Off
> <Proxy *>
>     AddDefaultCharset off
>     Order deny,allow
>     Allow from all
> </Proxy>
>
> ProxyVia On
>
> NameVirtualHost *:80
>
> <VirtualHost *:80>
>     # General setup for the virtual host.
>     ServerName example.com
>     ServerAdmin [email protected]
>     AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript text/javascript text/x-js application/json application/xml application/javascript
>     BrowserMatch ^Mozilla/4 gzip-only-text/html
>     BrowserMatch ^Mozilla/4\.0[678] no-gzip
>     BrowserMatch \bMSIE\s7 !no-gzip !gzip-only-text/html
>     BrowserMatch \bMSIE\s8 !no-gzip !gzip-only-text/html
>
>     ProxyRequests Off
>     ProxyPreserveHost On
>
>     ProxyPassMatch ^(/images/.*)$ !
>     proxyPass /content ajp://127.0.0.1:8009/content
>     proxyPass /ecommerce ajp://127.0.0.1:8009/ecommerce
>     proxyPass /tempfiles ajp://127.0.0.1:8009/tempfiles
>     #proxyPass / ajp://127.0.0.1:8009/
>
>     RewriteEngine On
>     ReWriteRule ^/(.*);jsessionid=.*$ /$1 [R=301]
>     RewriteRule ^/(images/.+);jsessionid=\w+$ /$1
>     RewriteRule ^/.*\.svn /some-non-existant-404-causing-page
> </VirtualHost>
> --------------------------------------------------------------------------
>
> Here is the matching SSL (port 443) apache config:
> ----------------------------------------------------------------------
> <IfModule mod_ssl.c>
> <VirtualHost *:443>
>     ServerName example.com
>     ServerAdmin [email protected]
>
>     ProxyRequests Off
>     ProxyPreserveHost On
>     ProxyPassMatch ^(/images/.*)$ !
>     proxyPass /content ajp://127.0.0.1:8009/content
>     proxyPass /ecommerce ajp://127.0.0.1:8009/ecommerce
>     proxyPass /tempfiles ajp://127.0.0.1:8009/tempfiles
>     #proxyPass / ajp://127.0.0.1:8009/
>
>     RewriteEngine On
>     ReWriteRule ^/(.*);jsessionid=.*$ /$1 [R=301]
>     RewriteRule ^/(images/.+);jsessionid=\w+$ /$1
>     RewriteRule ^/.*\.svn /some-non-existant-404-causing-page
>
>     # SSL Engine Switch:
>     # Enable/Disable SSL for this virtual host.
>     SSLEngine on
>     SSLCertificateFile /etc/ssl/certs/example.com.crt
>     SSLCertificateKeyFile /etc/ssl/private/example.com.key
>
>     <FilesMatch "\.(cgi|shtml|phtml|php)$">
>         SSLOptions +StdEnvVars
>     </FilesMatch>
>     <Directory /usr/lib/cgi-bin>
>         SSLOptions +StdEnvVars
>     </Directory>
>
>     BrowserMatch "MSIE [2-6]" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
>     # MSIE 7 and newer should be able to use keepalive
>     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
> </VirtualHost>
> </IfModule>
> ----------------------------------------------------------------------
>
> If you decide that you don't care about locking out /catalog and other
> admin stuff, just use the:
>
> proxyPass / ajp://127.0.0.1:8009/
>
> And comment out the other proxy statements.
>
> On Tue, May 29, 2012 at 6:29 PM, Mandeep Sidhu <[email protected]> wrote:
>
> > Hi,
> >
> > I am developing an ecommerce store using ofbiz, can be found here
> >
> > http://www.simbacart.com
> >
> >
> > The production system is a Unix box, running apache server and then Ofbiz
> > as a service.
> >
> > My question to you is, how to map the 80 port of prod server with the
> > ofbiz's 8080 port, also about the mapping of 8443 port.
> >
> > I was able to map the 80 port by making an entry into the IP table of the
> > Unix system thereby forwarding requests from 80 port to 8080.
> >
> > http://www.simbacart.com
> >
> > Above mentioned is the store in conversation.
> >
> > Now, here's the problem, till 80 port it is fine, but when it comes to 8443
> > this is the kind of URL I get.
> >
> >
> > https://www.simbacart.com:8443/control/newcustomer;jsessionid=E34540BB92549853EAC60AC175ACECE6.jvm1
> >
> > Notice the 8443 in the url.
> > This url came when I used the tag <@ofbizUrl>/newcustomer</@ofbizUrl>.
> >
> > Can you please help me out in setting up this, I'd really appreciate it.
> >
> > --
> > Mandeep Singh Sidhu
> >
>

--
Mandeep Singh Sidhu
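An added example, not part of the original thread and not code from Apache or OFBiz: a Python check that reads ProxyPass rules like those in the quoted vhost and reports whether an admin path would reach the AJP back end, which is the lock-out described in point 8. The matching is a simplified model of mod_proxy (first matching rule in configuration order wins, `!` means not proxied), and the sample path /catalog/control/main is constructed.

```python
import re

# Constructed excerpt: the proxy rules from the port-80 vhost quoted above.
VHOST_RULES = """
ProxyPassMatch ^(/images/.*)$ !
proxyPass /content ajp://127.0.0.1:8009/content
proxyPass /ecommerce ajp://127.0.0.1:8009/ecommerce
proxyPass /tempfiles ajp://127.0.0.1:8009/tempfiles
#proxyPass / ajp://127.0.0.1:8009/
"""

def parse_rules(conf):
    """Return (directive, pattern, target) tuples in configuration order."""
    rules = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue                      # blank, comment, or not a mapping
        name = parts[0].lower()           # directive names are case-insensitive
        if name in ("proxypass", "proxypassmatch"):
            rules.append((name, parts[1], parts[2]))
    return rules

def backend_for(path, rules):
    """Simplified mod_proxy model: the first rule that matches decides."""
    for kind, pattern, target in rules:
        if kind == "proxypassmatch":
            hit = re.search(pattern, path) is not None
        else:
            # Prefix match on whole path segments: /content matches
            # /content and /content/x, but not /contentx.
            prefix = pattern.rstrip("/")
            hit = path == prefix or path.startswith(prefix + "/")
        if hit:
            return None if target == "!" else target
    return None                           # served (or 404'd) by Apache itself

def audit(conf, must_stay_private):
    """Report catch-all mappings and private paths that reach the back end."""
    rules = parse_rules(conf)
    findings = [f"catch-all mapping: {p} -> {t}" for k, p, t in rules
                if k == "proxypass" and p == "/" and t != "!"]
    findings += [f"{path} is proxied to {backend_for(path, rules)}"
                 for path in must_stay_private if backend_for(path, rules)]
    return findings

if __name__ == "__main__":
    print(audit(VHOST_RULES, ["/catalog/control/main"]))
```

Running the same audit with the commented-out `proxyPass /` line enabled reports both the catch-all mapping and the exposed /catalog path.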
